Email Security Check for Victorian Estate Planning Lawyers: SPF, DMARC and DKIM Aligned to Privacy Act Obligations
You hold testamentary instructions, family trust structures, and beneficiary identities for clients across Victoria. A spoofed email purporting to come from your firm — sent to a beneficiary, an executor, or a financial institution — would land in inboxes that trust your domain implicitly. The Email Security Check tells you, in plain language, whether your firm’s email domain can be impersonated, and what to fix first.
Why it matters now
The Privacy Act 1988 (Cth) applies to legal practices with an annual turnover above $3 million and to many smaller practices through specific provisions. The Office of the Australian Information Commissioner (OAIC) administers the Act and the 13 Australian Privacy Principles, including APP 11 which requires reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access or disclosure. Business email compromise targeting law firms — and impersonation of law firms in onward attacks on clients — is a recognised cause of notifiable data breaches reported under the Notifiable Data Breaches scheme administered by the OAIC. The Australian Cyber Security Centre publishes general guidance on domain authentication (SPF, DKIM and DMARC) as a baseline control against email spoofing at https://www.cyber.gov.au/.
The 5-minute view
- SPF, DKIM and DMARC are three DNS-published email authentication standards that together let receiving mail servers verify whether mail claiming to come from your domain is legitimate.
- Without a DMARC policy at p=quarantine or p=reject, a third party can send spoofed mail using your firm’s domain in the visible “From” header, and receiving servers will not reliably reject it.
- The Privacy Act 1988 (Cth) Australian Privacy Principle 11 requires APP entities to take reasonable steps to protect personal information from unauthorised disclosure; domain authentication is one such commonly recognised step.
- The OAIC Notifiable Data Breaches scheme requires APP entities to notify the Commissioner and affected individuals of eligible data breaches likely to result in serious harm.
- Estate planning files concentrate sensitive personal information — beneficiary identities, asset registers, executor contact details — which raises the “serious harm” threshold risk if a spoofed email is used to phish those parties.
- An SPF record alone does not protect the visible “From” header that end users see; DMARC is the policy layer that ties SPF and DKIM results to the user-visible sender.
- Misconfigured SPF records (e.g. exceeding the 10 DNS lookup limit, or using +all) silently degrade protection and are common findings on first-time audits.
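As an added illustration (not DRMO's report tooling), the following Python checks SPF and DMARC record strings for the findings the list above calls out: the 10 DNS-lookup limit, a permissive +all, and a DMARC policy weaker than p=quarantine. The record values and domains are constructed samples, not real DNS data.

```python
# Added example, not DRMO's tooling: an offline linter for SPF and DMARC TXT records.
import re
from typing import List, Optional

# Mechanisms that each cost one DNS lookup under RFC 7208 section 4.6.4.
SPF_LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists")


def spf_findings(record: str) -> List[str]:
    """Return plain-language findings for a single SPF TXT record."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record missing or does not start with v=spf1"]
    lookups = 0
    all_qualifier = None
    for term in terms[1:]:
        # Separate the optional qualifier (+ - ~ ?) from the mechanism name.
        has_qualifier = term[0] in "+-~?"
        qualifier = term[0] if has_qualifier else "+"
        name = re.split(r"[:/=]", term[1:] if has_qualifier else term, maxsplit=1)[0].lower()
        if name in SPF_LOOKUP_MECHANISMS or name == "redirect":
            lookups += 1
        if name == "all":
            all_qualifier = qualifier
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS-lookup terms exceeds the limit of 10 (permerror)")
    if all_qualifier in ("+", "?"):
        findings.append(f"SPF: '{all_qualifier}all' permits any sender; use -all or ~all")
    elif all_qualifier is None and "redirect=" not in record:
        findings.append("SPF: no 'all' mechanism; unmatched senders get a neutral result")
    return findings


def dmarc_findings(record: Optional[str]) -> List[str]:
    """Return findings for the _dmarc TXT record (None means no record published)."""
    if record is None:
        return ["DMARC: no record published; the visible From header is not policed"]
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    findings = []
    if tags.get("v") != "DMARC1":
        findings.append("DMARC: record does not start with v=DMARC1")
    policy = tags.get("p", "").strip().lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: policy is '{policy or 'missing'}'; set p=quarantine or p=reject")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address; aggregate reports will not be received")
    return findings


# Constructed sample records for a hypothetical firm domain (not real data).
SAMPLE_SPF = "v=spf1 include:a.example include:b.example mx a ptr +all"
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.invalid"
```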
What DRMO does about it
The Email Security Check is a productised L1 diagnostic against one email domain. You submit your firm’s primary mail domain. We query the public DNS records for SPF, DKIM selectors (where discoverable) and DMARC, parse them against the published RFC specifications and ACSC’s general domain-hardening guidance, and produce a PDF report describing the current state, the gaps, and the specific record changes recommended. This is the entry-level diagnostic in the DRMO service catalogue and is designed for solo and small-firm estate practices that need a documented, defensible baseline assessment of their email authentication posture to support APP 11 reasonable-steps evidence. It does not modify your DNS — implementation is performed by your IT provider using the report’s recommended record values.
The deliverable
- PDF report scoped to one email domain (typically 8–12 pages).
- Current-state findings: SPF record parsed, DMARC policy and reporting addresses parsed, DKIM selectors where discoverable.
- Gap analysis against the ACSC domain-hardening baseline.
- Recommended DNS record values, ready to hand to your IT provider for implementation.
- Plain-English summary suitable for inclusion in an APP 11 reasonable-steps file note.
- Delivered via email within 2 business days of domain submission and payment.
CTA
Run the Email Security Check — AUD $99
A single-domain productised diagnostic. No discovery call required. Suitable for any Victorian estate planning practice that has not had its email authentication posture independently reviewed in the last 12 months.
Sources
- Office of the Australian Information Commissioner — The Privacy Act: https://www.oaic.gov.au/privacy/the-privacy-act
- Australian Cyber Security Centre — general guidance on email and domain hardening: https://www.cyber.gov.au/
- Office of the Australian Information Commissioner — general information on the Notifiable Data Breaches scheme: https://www.oaic.gov.au/
DRMO capability references:
- Email Security Check (L1 service shape, productised, Stripe-routed)
- DRMO service catalogue, L1 tier